(54) Data communication system

(57) A system for decrypting an encrypted message comprises first and second decryption devices, the first decryption device having a higher security than the second decryption device. The system further comprises means for dividing the encrypted message into blocks, and means for providing at least the first block of the message to the first decryption device and for providing a plurality of further blocks of this message to the second decryption device. An output of the first decryption device is used as input of the second decryption device. The second decryption device operates according to a block chaining method for decrypting the plurality of further blocks.

Description

[0001] The invention generally relates to a data communication system, and more specifically to a system and method for decrypting an encrypted message and a method for broadcasting data.
[0002] Such systems are known in various embodiments and are used, for example, in a decoder with a conditional access module for pay TV. Generally a secret key is required for decrypting the message, and decryption is carried out in a security device in order to prevent unauthorized persons from accessing the secret key. A smart card, for example, can be used as the security device. Such a known system using a smart card for decrypting the message has the disadvantage that the security device has a restricted computing capacity. On the other hand, a computer system with high computing capacity is available in many locations; however, such systems are easily accessible to unauthorized persons.

[0003] The invention aims to provide a system of the above-mentioned type with a combination of high security and high computing capacity.
[0004] To this end the system for decrypting an encrypted message according to the invention comprises first and second decryption devices, the first decryption device having a higher security than the second decryption device, means for dividing the encrypted message into blocks, and means for providing at least the first block of the message to the first decryption device and for providing a plurality of the further blocks of this message to the second decryption device, wherein an output of the first decryption device is used as input of the second decryption device, said second decryption device operating according to a block chaining method for decrypting said plurality of further blocks.
[0005] In this manner a system is provided wherein the first decryption device having a higher security is used for decrypting a first block of the message only, whereafter the remaining part of the message is decrypted by the second decryption device which can have a high computing capacity. The second decryption device can have a low security as the use of a block chaining method makes the insecure decryption device as secure as the first decryption device.
[0006] In order to further enhance security, according to a further embodiment of the invention the providing means provides each x-th block to the first decryption device. It is noted that the term x-th block means that the number of intermediate blocks is not fixed, i.e. may vary as desired.

[0007] The invention further provides a method for decrypting an encrypted message, comprising the steps of dividing a message into blocks, decrypting at least the first block in a first decryption device, decrypting a plurality of further blocks in a second decryption device, the first decryption device having a higher security than the second decryption device, using an output of the first decryption device as input of the second decryption device and operating the second decryption device according to a block chaining method.
[0008] The invention will be further explained by reference to the drawing in which an embodiment of the system of the invention is shown in a very schematic manner.

[0009] A system for decrypting a message, for example the encrypted payload in a pay TV transport stream, comprises a first decryption device 1 and a second decryption device 2. The first decryption device has a very high security and is made for example as a smart card. In the smart card a secret key is stored for decryption purposes. The second decryption device 2 has a low security and can be a PC or a microprocessor in a conditional access module or the like.
[0010] The system further comprises means 3 for dividing a message received into blocks, wherein the means 3 provides at least the first block to the first decryption device 1 and a plurality of the further blocks of the message to the second decryption device 2. The first block is decrypted by the device 1 according to the decryption algorithm used and the clear text output is forwarded to the second decryption device 2. The second decryption device 2 decrypts the further blocks according to an error-propagating block chaining method using the clear text output of the device 1 as initialisation vector. In this manner the insecure device 2 is made as secure as the first device 1.

[0011] If desired the means 3 can be arranged in such a manner that each x-th block is decrypted by the first decryption device 1.

[0012] It is noted that instead of an error-propagating block chaining method another block chaining method can be used, although an error-propagating method is preferred. Further, the first device could provide a partially decrypted result as output to the second device. In that case the second device would first complete the decryption operation and would then operate according to the block chaining method used.

[0013] The system described can advantageously be used in a pay TV system, wherein entitlement control messages (ECMs) are used to distribute keys to subscribers, which keys are used to scramble the data. Of course, these ECMs are also encrypted, preferably by using another key, for example a group key. According to a preferred embodiment the data to be distributed is divided into blocks as described, wherein the first block and if desired each x-th block of data is scrambled using a first key CW1 and wherein the further blocks are scrambled using a second key CW2 in a block chaining method using the first block and if applicable each x-th block as input vector. Both keys CW1 and CW2 are distributed by means of the ECMs.

[0014] At the subscribers the ECMs are provided to the first decryption device or smart card 1 in a usual manner. The smart card 1 decrypts the ECMs and uses the key CW1 to descramble the first block of data (and each x-th block) received from the means 3. The second key CW2 and the first and x-th blocks are delivered to the second security device 2, in this case a control access module for example, to descramble the further blocks of data according to the block chaining method used in the system. In this manner it is prevented that the key CW1, which generally consists of 64 bits only, is accessible to unauthorized persons for distribution to other unauthorized persons for descrambling the payload data.
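
The split described in [0013] and [0014], as an added example that is not part of the patent text: the head-end scrambles block 0 under CW1 and chains the further blocks under CW2, the smart card decrypts only block 0, and the conditional access module decrypts the rest using the card's clear output as initialisation vector. The 4-round Feistel toy cipher, the chaining rule (chain value = previous plaintext XOR previous ciphertext, in the style of propagating CBC), the key values and the payload are assumptions chosen for illustration; the patent names neither a cipher nor a specific chaining mode.

```python
import hashlib

BLOCK = 8  # 64-bit blocks; the toy cipher below is a stand-in, not a real scrambler
CW1, CW2 = b"cw1-demo", b"cw2-demo"  # constructed sample keys
PAYLOAD = b"TS-HEAD0video-payload-blocks-0123456789!"  # constructed, 5 whole blocks

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def round_fn(key, rnd, half):  # Feistel round function built from SHA-256
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def toy_encrypt(key, blk):
    l, r = blk[:4], blk[4:]
    for rnd in range(4):
        l, r = r, xor(l, round_fn(key, rnd, r))
    return l + r

def toy_decrypt(key, blk):
    l, r = blk[:4], blk[4:]
    for rnd in reversed(range(4)):
        l, r = xor(r, round_fn(key, rnd, l)), l
    return l + r

def scramble(cw1, cw2, data):  # head-end: block 0 under CW1, the rest chained under CW2
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    out, chain = [toy_encrypt(cw1, blocks[0])], blocks[0]  # clear block 0 is the IV
    for p in blocks[1:]:
        c = toy_encrypt(cw2, xor(p, chain))
        out.append(c)
        chain = xor(p, c)  # error-propagating: mixes plaintext and ciphertext
    return b"".join(out)

def smart_card(cw1, first_block):  # device 1: the only place CW1 is used
    return toy_decrypt(cw1, first_block)

def cam_descramble(cw2, iv, rest):  # device 2: needs CW2 and the card's output
    out, chain = [], iv
    for i in range(0, len(rest), BLOCK):
        c = rest[i:i + BLOCK]
        p = xor(toy_decrypt(cw2, c), chain)
        out.append(p)
        chain = xor(p, c)
    return b"".join(out)

def descramble(cw1, cw2, data):  # receiver: card output feeds the fast device
    first = smart_card(cw1, data[:BLOCK])
    return first + cam_descramble(cw2, first, data[BLOCK:])
```

Calling `cam_descramble` with the correct CW2 but an all-zero IV instead of the card's output returns a wrong value for every further block, which is the property the description relies on when it prefers an error-propagating method.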
[0015] The system and method described are particularly suitable to prevent a form of piracy which is known in the pay TV industry as "hook" piracy. In this type of piracy the key or control word CW which is used to encrypt the data and which has been determined by a pirate, is rebroadcast by the pirate to receivers which already receive the scrambled data. These receivers then use the key to descramble the data, thereby circumventing the conditional access system of the broadcasting organisation. In the pay TV environment this form of piracy has never gained wide usage due to the logistical problems of setting up a broadcast network to rebroadcast the key.

[0016] However, with increasing usage of the internet also for multicasting of broadcasting data, the terminals receiving the scrambled data from the internet can receive data from virtually any other source on the internet simultaneously. Therefore, it is possible to receive the keys required to decrypt the data from another source, thereby circumventing the conditional access system. Rebroadcasting the key only requires a few bits per second of bandwidth, thereby making the conditional access system of the data broadcasters vulnerable.
[0017] Although a possible solution to this problem would be to perform the descrambling of the data entirely within the smart card or any other secure device, the ability of a smart card to handle data at high data rates is limited. The current standard bit rate for communicating with a smart card is 9600 bit/s. The real payload throughput is in fact much lower due to overheads on the serial link between the smart card and the conditional access module or the like.
[0018] According to the invention the data to be broadcast is first divided into blocks and then at least the first data block is encrypted using a first secret key and thereafter a plurality of the further data blocks is encrypted according to an error-propagating block chaining method using the first data block as input vector in a high speed scrambler unit. The scrambled data obtained in this manner is broadcast and can be descrambled or decrypted in the above described manner. Although the pirate could rebroadcast the output of the smart card, i.e. the descrambled first data block, the bandwidth required for rebroadcasting by the pirate is effectively increased to the maximum rate which is possible on the interface between smart card and conditional access module or the like. As stated above, the amount of data required for rebroadcasting is thereby increased to several kilobits per second as opposed to the few bits per second required for key redistribution. With newer smart card technology this can be increased to hundreds of kilobits per second. In this manner rebroadcasting will generally be effectively prevented.

Claims

1. System for decrypting an encrypted message, comprising first and second decryption devices, the first decryption device having a higher security than the second decryption device, means for dividing an encrypted message into blocks, and means for providing at least the first block of a message to the first decryption device and for providing a plurality of the further blocks of this message to the second decryption device, wherein an output of the first decryption device is used as input of the second decryption device, said second decryption device operating according to a block chaining method for decrypting said plurality of further blocks.

2. System according to claim 1, wherein said providing means provides each x-th block to the first decryption device.

3. System according to claim 1 or 2, wherein said second decryption device operates according to an error-propagating block chaining method.

4. System according to any one of the preceding claims, wherein the first decryption device provides a clear text output.

5. System according to claim 1, 2 or 3, wherein the first decryption device provides a partially decrypted output, wherein the second decryption device first completes the decryption operation.

6. System according to any one of the preceding claims, wherein the computing speed of said second decryption device is higher than the computing speed of the first decryption device.

7. Method for distributing data in a system with a number of receivers, comprising the steps of dividing the data into blocks, encrypting at least the first block using a first key and encrypting a plurality of the further blocks according to a block chaining method using the first block as input vector, distributing the encrypted data to the receivers and distributing the first key in an encrypted message to the receivers.

8. Method according to claim 7, comprising the steps of receiving the encrypted data and the first key at a receiver, dividing the encrypted data into blocks, decrypting at least the first block in a first decryption device using the first key, decrypting a plurality of further blocks in a second decryption device, the first decryption device having a higher security than the second decryption device, using an output of the first decryption device as input to the second decryption device and operating the second decryption device according to said block chaining method.

9. Method according to claim 7 or 8, wherein a second key is used in the block chaining method to encrypt said plurality of further blocks, wherein the first and second keys are distributed to the receivers in an encrypted message, the encrypted message being decrypted by the first decryption device, wherein the first decryption device forwards the second key and the first block to the second device.

10. Method according to claim 7, 8 or 9, wherein the first and each x-th block are encrypted using the first key or decrypted in the first decryption device using the first key, respectively.